DNS Tool

Engineer's DNS Intelligence Report

Generated 9 Mar 2026, 16:26 UTC
Duration 60.0s
Version v26.35.32
Integrity 7036d6f5c3c0e83d6d1c4002d88f3708501d4a2ab66104a235c102cd8e6ac7f3251d8bceeaac4b93e0918cb9c7c954338506bfd1e357e78dac866696f4a20be7

TLP:AMBER

Limited disclosure — recipients may share within their organization only

Subject Domain

apple.com

Engineer's DNS Intelligence Report

apple.com

9 Mar 2026, 16:26 UTC · 60.0s ·v26.35.32 · SHA-3-512: 7036✱✱✱✱ Verify

Executive Methodology

Recon Mode Snapshot Re-analyze New Domain

Footprint 8 SaaS Services

DNS Security & Trust Posture

Risk Level: Low Risk

5 protocols configured, 4 not configured Domain appears to be in deliberate DMARC deployment phase — quarantine fully enforced with reporting, consider upgrading to reject Why we go beyond letter grades

1 recommendation 2 monitoring

Analysis Confidence (ICD 203)

MODERATE 67/100

Resolver agreement is inconsistent for some protocols, limiting confidence. Data currency and system maturity are adequate.

Accuracy 60% Currency 74/100 Maturity verified

Limiting factor: Resolver agreement is low for this scan — some protocols returned inconsistent results across resolvers

Intelligence Currency

Data Currency: Adequate 74/100

ICuAE Details

Currentness Excellent TTL Compliance Excellent Completeness Degraded Source Credibility Excellent TTL Relevance Degraded

DNS data shows some aging or gaps — consider re-scanning for critical decisions

The following DNS record TTLs deviate from recommended values. Incorrect TTLs can cause caching issues, slow propagation, or unnecessary DNS traffic.

Record Type	Observed TTL	Typical TTL	Severity	Context
A	`474s`	`1 hour (3600s)`	medium	A TTL is below typical — observed 474s, typical value is 1 hour (3600s). Short TTLs increase DNS query volume but enable faster propagation. If you are preparing for a migration or need rapid failover, this may be intentional (RFC 1035 §3.2.1). For steady-state production, consider 3600 seconds per NIST SP 800-53 SI-7 relevance guidance. Use the TTL Tuner for profile-specific recommendations.
AAAA	`241s`	`1 hour (3600s)`	high	AAAA TTL is below typical — observed 241s, typical value is 1 hour (3600s). Short TTLs increase DNS query volume but enable faster propagation. If you are preparing for a migration or need rapid failover, this may be intentional (RFC 1035 §3.2.1). For steady-state production, consider 3600 seconds per NIST SP 800-53 SI-7 relevance guidance. Use the TTL Tuner for profile-specific recommendations.
CAA	`234s`	`1 hour (3600s)`	high	CAA TTL is below typical — observed 234s, typical value is 1 hour (3600s). Short TTLs increase DNS query volume but enable faster propagation. If you are preparing for a migration or need rapid failover, this may be intentional (RFC 1035 §3.2.1). For steady-state production, consider 3600 seconds per NIST SP 800-53 SI-7 relevance guidance. Use the TTL Tuner for profile-specific recommendations.
NS	`5594s`	`1 day (86400s)`	high	NS TTL is below typical — observed 5594s, typical value is 1 day (86400s). Short TTLs increase DNS query volume but enable faster propagation. If you are preparing for a migration or need rapid failover, this may be intentional (RFC 1035 §3.2.1). For steady-state production, consider 86400 seconds per NIST SP 800-53 SI-7 relevance guidance. Use the TTL Tuner for profile-specific recommendations.
TXT	`1738s`	`1 hour (3600s)`	medium	TXT TTL is below typical — observed 1738s, typical value is 1 hour (3600s). Short TTLs increase DNS query volume but enable faster propagation. If you are preparing for a migration or need rapid failover, this may be intentional (RFC 1035 §3.2.1). For steady-state production, consider 3600 seconds per NIST SP 800-53 SI-7 relevance guidance. Use the TTL Tuner for profile-specific recommendations.
SOA	`6 hours (21600s)`	`1 hour (3600s)`	high	SOA TTL is above typical — observed 6 hours (21600s), typical value is 1 hour (3600s). Long TTLs reduce DNS query volume but slow propagation when records change. Consider 3600 seconds for a balance of performance and flexibility per NIST SP 800-53 SI-7 relevance guidance.

Big Picture Questions

How often do you actually change this record? If it hasn’t changed in months, a short TTL is generating unnecessary DNS queries without any benefit.
Are you preparing for a migration or IP change? Short TTLs make sense temporarily — but should be raised back to 1 hour (3600s) once the change is complete.
Every DNS lookup adds 20–150ms of latency. With a 60s TTL, returning visitors trigger a fresh lookup every minute. With 3600s, they get cached responses for an hour — faster page loads, no extra infrastructure needed.
Google runs A records at ~30s because they operate a global anycast network and need to steer traffic dynamically. For a typical website without that infrastructure, copying those TTLs increases query volume with zero upside.

Tune TTL for apple.com

Reference: NIST SP 800-53 SI-7 (Information Integrity) · RFC 8767 (Serve Stale) · RFC 1035 §3.2.1 (TTL semantics) Note: Some DNS providers (e.g., AWS Route 53 alias records, Cloudflare proxied records) enforce fixed TTLs that cannot be modified. If a finding targets a record you cannot edit, it reflects the observed value rather than a configuration error on your part.

Primary NS ns-ext-prod.jackfruit.apple.com

Serial 2026030901

Admin dnscontact.apple.com

Provider Unknown

Timer	Value	RFC 1912 Range
Refresh	`300s`	1,200–43,200s (20 min – 12 hrs)
Retry	`300s`	Fraction of Refresh
Expire	`3628800s`	1,209,600–2,419,200s (14–28 days)
Minimum (Neg. Cache)	`300s`	300–86,400s (5 min – 1 day)

Refresh: SOA Refresh is 5 minutes (300s), below the RFC 1912 recommended minimum of 1,200 seconds.

RFC 1912 §2.2

Suggested Scanner Configuration High Confidence

Based on 20 historical scans of this domain

Parameter	Current	Suggested	Severity	Rationale
timeout_seconds	`5s`	`8s`	low	Average scan duration is 34.4s, suggesting DNS responses are slow for this domain. Increasing timeout from 5s to 8s prevents premature resolution failures. RFC 8767

Suggestions require explicit approval before applying. No automatic changes will be made.

Email Spoofing

Protected

Brand Impersonation

Protected

DNS Tampering

Unsigned

Certificate Control

Configured

Recommended

Upgrade DMARC policy from quarantine to reject (p=reject) for maximum spoofing protection

Monitoring

External domain rua.agari.com has not authorized apple.com to send DMARC reports (missing apple.com._report._dmarc.rua.agari.com TXT record), External domain ruf.agari.com has not authorized apple.com to send DMARC reports (missing apple.com._report._dmarc.ruf.agari.com TXT record)

Configured

SPF, DMARC (quarantine, 100%), DKIM, BIMI, CAA

Not Configured

MTA-STS, TLS-RPT, DANE, DNSSEC

Priority Actions 4 total Achievable posture: Secure

Medium Enable DNSSEC

DNSSEC is not enabled for this domain. DNSSEC provides cryptographic authentication of DNS responses, preventing cache poisoning and DNS spoofing attacks.

RFC 4035

Medium Upgrade DMARC to Reject

Your DMARC policy is set to quarantine. Upgrade to p=reject for maximum protection — reject instructs receivers to discard spoofed mail entirely rather than quarantining it.

A reject policy provides the strongest protection against domain spoofing.

Field	Value
Type	`TXT`
Host	`_dmarc.apple.com` (update existing DMARC record)
Value	`v=DMARC1; p=reject; rua=mailto:dmarc-reports@apple.com`

RFC 7489 §6.3

Low Add TLS-RPT Reporting

TLS-RPT (TLS Reporting) sends you reports about TLS connection failures when other servers try to deliver mail to your domain.

TLS-RPT sends you reports about TLS connection failures to your mail servers.

Field	Value
Type	`TXT`
Host	`_smtp._tls.apple.com` (SMTP TLS reporting record)
Value	`v=TLSRPTv1; rua=mailto:tls-reports@apple.com`

RFC 8460

Low Deploy MTA-STS

MTA-STS enforces TLS encryption for inbound mail delivery, preventing downgrade attacks on your mail transport.

MTA-STS tells sending servers to require TLS when delivering mail to your domain.

Field	Value
Type	`TXT`
Host	`_mta-sts.apple.com` (MTA-STS policy record)
Value	`v=STSv1; id=apple.com`

RFC 8461

Registrar (RDAP) OBSERVED LIVE

Nom-iq Ltd. dba COM LAUDE

Where domain was purchased

Email Service Provider

Unknown

Moderately Protected

Web Hosting

Unknown

Where website is hosted

DNS Hosting

Unknown

Where DNS records are edited

Email Security Methodology Can this domain be impersonated by email? Unlikely SPF and DMARC quarantine policy enforced

SPF Record RFC 7208 §4 Verified

Does this domain declare who may send email on its behalf? Yes

Success ~all 2/10 lookups

SPF valid with industry-standard soft fail (~all), 2/10 lookups

v=spf1 include:_spf.apple.com include:_spf-txn.apple.com ~all

RFC 7208 Conformant — This SPF record conforms to the syntax and semantics defined in RFC 7208 §4.

RFC Failure Mode: Unlike DMARC (where unknown tags are silently ignored per RFC 7489 §6.3), SPF with unrecognized mechanisms produces a PermError per RFC 7208 §4.6 — the record fails loudly rather than silently.

Related CVEs: CVE-2024-7208 (multi-tenant domain spoofing), CVE-2024-7209 (shared SPF exploitation), CVE-2023-51764 (SMTP smuggling bypasses SPF)

~all is the industry standard. Google, Apple, and most providers default to soft fail. CISA (BOD 18-01) and RFC 7489 confirm that DMARC policy — not SPF alone — is the primary enforcement control. Using ~all allows DKIM to be evaluated before a DMARC decision is made. This domain uses ~all + DMARC quarantine — good protection. Moving to p=reject would achieve the strongest stance.

DMARC Policy RFC 7489 §6.3 Verified

Are spoofed emails rejected or quarantined? Quarantined, not rejected

Rules of Engagement

What You May Do

What You May Not Do

Engineer's DNS Intelligence Report

Intelligence Dissemination

Email Security Methodology Can this domain be impersonated by email? Unlikely SPF and DMARC quarantine policy enforced